Remote Runner Deploy IAM Policy

This docs cover IAM role and permissions that jets uses to deploy your used by the CodeBuild Project, this runs on the remote machine.

The jets deploy command needs IAM permissions to deploy and create the AWS resources for your project. Here is a table of the services in the default policy in general:

  • API Gateway
  • CloudFormation
  • CloudFront
  • CodeBuild
  • DynamoDB
  • EC2
  • ECR
  • ECR Public
  • Events
  • IAM
  • Lambda
  • Logs
  • Route53
  • S3
  • SNS
  • SQS
  • STS
  • WAF
  • WAFv2

Note: Jets dynamically adds some of these permissions to the IAM Role only when needed, e.g., EC2 when using VpcConfig. The IAM permissions may change in the future as Jets evolves and we add features. We’ll try to update the permissions to this document as best we can but be aware it may be out-of-date. You can also submit a PR to help update this doc.

There are usually tradeoffs in engineering. The Jets default IAM permissions try to find a balance between overly strict permissions that may cause issues and user-friendliness and convenience. It is nearly impossible to please everyone. That being said, you can override the default Jets IAM permissions entirely and remove permissions. See: codebuild.iam.default_policy in Config Bootstrap. Just be aware, that you may incidentally remove a required permission.

Configuring Remote IAM Permissions

See: Remote Runner CodeBuild IAM Permissions.

Local vs vs Remote Deploy IAM Policy

The local and remote IAM policies are not the same. See Local vs Remote Deploy IAM Policy.

AWS Service Control Policies

If you believe you have granted all IAM permissions necessary, but are still getting IAM to deploy-related errors. Your AWS account might have Service Control Policies attached to the AWS account at the Organization level. You will need to check with your AWS Account Organization Administrator.

If you are the Administrator:

  • You can navigate to the AWS Organizations/AWS Accounts/Organizational structure section. From there, click on your account and proceed to the Policies tab to view the attached Policies.
  • You can also click on Policies side menu, the Service Control Policies link to see Available Policies. Click on each of them and check their Targets tab to see if they are attached to your AWS account.

In this section: